[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
rpenny at samba.org
Wed Dec 22 17:05:33 UTC 2021
On Wed, 2021-12-22 at 19:34 +0300, Alex wrote:
> Hello Rowland,
> Thank you for your prompt reply!
> > > smb.conf:
> > > [global]
> > > workgroup = DOMAIN
> > > server string = vm-corp
> > > netbios name = VM-CORP
> > > realm = DOMAIN.BIZ
> > > security = ads
> > > template shell = /sbin/nologin
> > So, your users never log into the server directly, just via Samba.
> Most users don't. Some of them that are allowed have a shell defined
> in the AD (loginShell attribute).
> > > idmap config * : backend = tdb
> > > idmap config * : range = 16777216-33554431
> > Is there some reason for that range ? It will allow you 16777215
> > users & groups for something that requires only about 200.
> I think it's a legacy. Don't remember why it's here. I'll try to
> remove it.
You are probably stuck with it.
> > > idmap config DOMAIN:backend = ad
> > > idmap config DOMAIN:schema_mode = rfc2307
> > > idmap config DOMAIN:range = 400-999999
> > Again why the strange range, do you have users & groups with
> > uidNumber & gidNumber attributes that low ?
> This is also a legacy thing. There're users in the AD with uidNumber
> starting from 400.
Okay, I was just checking, some people think they need a range like
that because they are using the winbind 'ad' backend, but they don't
actually add any RFC2307 attributes to AD.
> > > idmap config DOMAIN:unix_primary_group = yes
> > Do your users have gidNumber attributes.
> Yes, they do. This came from MS Services for Unix.
Have you actually checked? MS-SFU didn't add a gidNumber attribute to
users unless you told it to.
> > > idmap config DOMAIN:unix_nss_info = yes
> > This is interesting, you only need that if your users have a
> > unixHomeDirectory attribute (at least), yet you are not using
> > '[homes]' below.
> Yes, they do have unixHomeDirectory attribute.
> > > winbind use default domain = true
> > > winbind offline logon = false
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > You do not need the 'enum' lines, it works without them.
> There was an issue w/o the enum lines. Unfortunately, I don't
> remember exactly what it was, probably couldn't retrieve groups from
> the AD with "getent group" command.
Adding those lines would not fix such a problem; either it would work
or it wouldn't. All those lines do is get 'getent user' to display
all users and 'getent group' to display all groups, along with slowing
> > > [username]
> > > comment = username's home
> > > path = /home/username
> > > read only = No
> > > create mode = 0660
> > > valid users = username
> > As noted above, why are you not using '[homes]' ?
> It's b/c most users are prohibited from using this server. So, I
> allowed homes on this server for just a few of them directly.
So does that mean you have multiple '[username]' shares in smb.conf ?
> > > I tried to create the username_map_script.sh and add the following
> > > lines (as mentioned in
> > > https://bugzilla.samba.org/show_bug.cgi?id=14901):
> > > min domain uid = 500
> > Try changing the '500' to '0'
> > > username map script = /etc/samba/username_map_script.sh
> > Change that to:
> > username map script = /etc/samba/user.map
> > Create /etc/samba/user.map containing:
> > !root = DOMAIN\Administrator
> Assuming you meant "username map = /etc/samba/user.map" here.
Yes, I did, sorry for the mistake
> I did that both (changed min uid to 0 and set a user.map file) -
> still can't log in :(
This is very strange, I am using Samba 4.15.3 with this smb.conf and I
can log in:
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
dns proxy = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = Yes
# Comment the following 4 lines to act as a print server
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
log file = /var/log/samba/%m.log
logging = file
log level = auth_audit:3@/var/log/samba/auth.log
min domain uid = 0
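As an added illustration of the two settings argued over above, the idmap ranges and 'min domain uid', here is a small checker. It is not code from the thread or from Samba; the two smb.conf fragments are constructed to mirror the poster's [global] section and Rowland's working one, the uidNumber list is made up (the thread only says they start from 400), and the helper names are hypothetical. The one fact it relies on is that Samba 4.15 introduced 'min domain uid' with a default of 1000, so a user whose uidNumber sits below that (or below whatever the parameter is set to) is refused even though the idmap range covers them.

```python
import re

# Constructed smb.conf fragment modelled on the [global] section quoted in
# the thread; it is not a file taken from the poster's server.
POSTER_CONF = """
[global]
    workgroup = DOMAIN
    realm = DOMAIN.BIZ
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 400-999999
    min domain uid = 500
"""

# Constructed fragment modelled on the working config Rowland posted.
WORKING_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    min domain uid = 0
"""

# Constructed uidNumber values standing in for the result of an LDAP query
# against the domain; the thread only says they "start from 400".
POSTER_UIDNUMBERS = [400, 450, 500, 1001, 20001]

# Samba 4.15 added 'min domain uid' with a default of 1000.
DEFAULT_MIN_DOMAIN_UID = 1000

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
MIN_UID_RE = re.compile(
    r"^\s*min\s+domain\s+uid\s*=\s*(?P<v>\d+)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    return {m["dom"].upper(): (int(m["lo"]), int(m["hi"])) for m in IDMAP_RANGE_RE.finditer(conf)}


def parse_min_domain_uid(conf):
    """Return the configured 'min domain uid', or Samba's default when the line is absent."""
    m = MIN_UID_RE.search(conf)
    return int(m["v"]) if m else DEFAULT_MIN_DOMAIN_UID


def find_overlaps(ranges):
    """Return pairs of idmap domains whose ranges intersect; winbind needs them disjoint."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((a, b))
    return overlaps


def check_domain(conf, domain, uidnumbers):
    """Return a list of (finding, value) tuples; an empty list means nothing looked wrong."""
    ranges = parse_idmap_ranges(conf)
    min_uid = parse_min_domain_uid(conf)
    findings = [("overlapping_ranges", pair) for pair in find_overlaps(ranges)]
    lo, hi = ranges[domain.upper()]
    for uid in uidnumbers:
        if not lo <= uid <= hi:
            # The 'ad' backend only maps uidNumbers that fall inside the configured range.
            findings.append(("outside_idmap_range", uid))
        elif uid < min_uid:
            # winbind refuses domain accounts whose uid is below 'min domain uid'.
            findings.append(("below_min_domain_uid", uid))
    return findings


if __name__ == "__main__":
    for label, conf, domain, uids in [
        ("poster", POSTER_CONF, "DOMAIN", POSTER_UIDNUMBERS),
        ("working", WORKING_CONF, "SAMDOM", [10000, 20001]),
    ]:
        print(label, check_domain(conf, domain, uids) or "no findings")
```

Run against the poster-style fragment it flags uidNumbers 400 and 450 as sitting below 'min domain uid = 500'; drop that line and the default of 1000 also catches 500. The Rowland-style fragment, with 'min domain uid = 0' and uidNumbers inside 10000-999999, comes back clean.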